#1138842 Multiple vulnerabilities: CVE-2026-46447 CVE-2026-48681 CVE-2026-44917

Package:
src:ironic
Source:
src:ironic
Submitter:
Thomas Goirand
Date:
2026-06-22 06:11:13 UTC
Severity:
normal
Tags:
#1138842#10
Date:
2026-06-05 21:41:37 UTC
Hello,

Bug #1138842 in ironic reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/ironic/-/commit/b18282faabc957991fda9d4831828a30d659f747
------------------------------------------------------------------------
* CVE-2026-44917: Ironic does not validate the location of
    node.driver_info[pxe_template], allowing a user who can set it to expose
    arbitrary files on an internal Ironic network, such as the servicing,
    provisioning, or cleaning networks. Applied upstream patch:
    - CVE-2026-44917_disable-driver_info-level-pxe_template-override.patch
  * CVE-2026-46447: A user with access to add or modify node.driver_info or
    node.instance_info can create a crafted value to enable iPXE script
    execution during the boot process. Applied upstream patch:
    - CVE-2026-46447_Sanitize-kernel_append_parms.patch
  * CVE-2026-48681: A maliciously crafted ISO image can cause Ironic to perform
    path traversal and overwrite files on a conductor's disk.  Applied upstream
    patch:
    - CVE-2026-48681-directory_transversal_ISO9660_support.patch
    (Closes: #1138842)
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1138842

#1138842#15
Date:
2026-06-10 14:05:36 UTC
Hello,

Bug #1138842 in ironic reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/ironic/-/commit/9841ca243d9e512847dbf148a7e9efdb15f041b5
------------------------------------------------------------------------
(Closes: #1138842)
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1138842

#1138842#20
Date:
2026-06-11 20:47:06 UTC
We believe that the bug you reported is fixed in the latest version of
ironic, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1138842@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated ironic package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Mon, 01 Jun 2026 09:59:53 +0200
Source: ironic
Architecture: source
Version: 1:29.0.5-0+deb13u2
Distribution: trixie-security
Urgency: medium
Maintainer: Debian OpenStack <team+openstack@tracker.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Closes: 1138842
Changes:
 ironic (1:29.0.5-0+deb13u2) trixie-security; urgency=medium
 .
   * CVE-2026-44917: Ironic does not validate the location of
     node.driver_info[pxe_template], allowing a user who can set it to expose
     arbitrary files on an internal Ironic network, such as the servicing,
     provisioning, or cleaning networks. Applied upstream patch:
     - CVE-2026-44917_disable-driver_info-level-pxe_template-override.patch
   * CVE-2026-46447: A user with access to add or modify node.driver_info or
     node.instance_info can create a crafted value to enable iPXE script
     execution during the boot process. Applied upstream patch:
     - CVE-2026-46447_Sanitize-kernel_append_parms.patch
   * CVE-2026-48681: A maliciously crafted ISO image can cause Ironic to perform
     path traversal and overwrite files on a conductor's disk.  Applied upstream
     patch:
     - CVE-2026-48681-directory_transversal_ISO9660_support.patch
     (Closes: #1138842)

#1138842#25
Date:
2026-06-11 20:48:09 UTC
We believe that the bug you reported is fixed in the latest version of
ironic, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1138842@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated ironic package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Fri, 08 Nov 2024 16:10:43 +0100
Source: ironic
Architecture: source
Version: 1:21.4.4-0+deb12u1
Distribution: bookworm-security
Urgency: medium
Maintainer: Debian OpenStack <team+openstack@tracker.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Closes: 1135898 1136005 1136655 1138842
Changes:
 ironic (1:21.4.4-0+deb12u1) bookworm-security; urgency=medium
 .
   * New upstream point release. Fixed CVE-2024-44082.
   * CVE-2026-44917: Ironic does not validate the location of
     node.driver_info[pxe_template], allowing a user who can set it to expose
     arbitrary files on an internal Ironic network, such as the servicing,
     provisioning, or cleaning networks. Applied upstream patch:
     - CVE-2026-44917_disable-driver_info-level-pxe_template-override.patch
   * CVE-2026-46447: A user with access to add or modify node.driver_info or
     node.instance_info can create a crafted value to enable iPXE script
     execution during the boot process. Applied upstream patch:
     - CVE-2026-46447_Sanitize-kernel_append_parms.patch
   * CVE-2026-48681: A maliciously crafted ISO image can cause Ironic to perform
     path traversal and overwrite files on a conductor's disk.  Applied upstream
     patch:
     - CVE-2026-48681-directory_transversal_ISO9660_support.patch
     (Closes: #1138842)
   * CVE-2026-44919: during image handling, an infinite loop in checksum
     calculations can occur via the file:///dev/zero URL. Add upstream patch:
     move_file_url_validation_up_into_deploy_utils_main_path.patch.
     (Closes: #1136655).
   * CVE-2026-44916: instance_info['ks_template'] is rendered without
     sandboxing. An attacker with sufficient access, an ironic deployment with
     the anaconda deploy interface, a node with the anaconda deployment
     interface set by an admin, and a malicious template could result in
     conductor internal data being rendered and if the infrastructure operator is
     allowing traffic egress for the provisioning network, could have sensitive
     internal data exfiled out of the environment. Applied upstream patch:
     - CVE-2026-44916_Use_sandbox_rendering_for_jinja2.patch
     (Closes: #1136005).
   * CVE-2026-42997 / OSSA-2026-010: Credential Forwarding to Arbitrary
     Endpoints via Ironic’s idrac Configuration molds Feature. Add upstream
     patch validate_molds_url_against_swift_in_keystone_catalog.patch.
     (Closes: #1135898).
   * (build-)depends on python3-oslo.messaging >= 14.0.3-0+deb12u1~.
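As an added example, not Ironic's own code and not the upstream patch named above, this is the containment check a conductor-side ISO9660 extractor needs against the path traversal described for CVE-2026-48681: entry names read from the image are treated as untrusted and are mapped onto the destination directory only after normalisation and a realpath containment test. The destination directory and the entry names are constructed for illustration.

```python
"""Safe placement of ISO9660 entries on a conductor's disk (added example)."""
import os
import posixpath


class UnsafeIsoPath(ValueError):
    """An ISO entry that would be written outside the destination directory."""


def normalized_iso_entry(iso_path: str):
    """Normalise an ISO9660 entry name to a relative POSIX path.

    Returns None when the entry is empty, contains NUL, or still climbs above
    the image root after normalisation ('..' segments not cancelled out).
    """
    if not iso_path or "\x00" in iso_path:
        return None
    # Directory records are usually listed as '/DIR/FILE'; the leading '/'
    # means the image root, not the conductor's filesystem root.
    norm = posixpath.normpath(iso_path.lstrip("/"))
    if norm in (".", "..") or norm.startswith("../"):
        return None
    return norm


def safe_iso_dest(dest_root: str, iso_path: str) -> str:
    """Map an ISO entry onto dest_root, raising UnsafeIsoPath on traversal."""
    rel = normalized_iso_entry(iso_path)
    if rel is None:
        raise UnsafeIsoPath(f"rejected ISO entry {iso_path!r}")
    root = os.path.realpath(dest_root)
    # realpath follows symlinks that already exist under root, so a link
    # planted by an earlier entry cannot redirect this write outside root.
    candidate = os.path.realpath(os.path.join(root, *rel.split("/")))
    if os.path.commonpath([root, candidate]) != root:
        raise UnsafeIsoPath(f"{iso_path!r} resolves outside {root}")
    return candidate


def plan_extraction(dest_root: str, entries):
    """Split ISO entry names into (accepted destination paths, rejected names)."""
    accepted, rejected = [], []
    for entry in entries:
        try:
            accepted.append(safe_iso_dest(dest_root, entry))
        except UnsafeIsoPath:
            rejected.append(entry)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed entry list mixing ordinary boot files with traversal attempts.
    sample = ["/EFI/BOOT/BOOTX64.EFI", "/ISOLINUX/../EFI/BOOT/GRUBX64.EFI",
              "/../../etc/passwd", "boot/../../../tmp/evil"]
    ok, bad = plan_extraction("/var/lib/ironic/iso-out", sample)
    print("accepted:", ok)
    print("rejected:", bad)
```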